Visual Network Threat Level Indicator


About: I like to tinker with just about anything, sometimes it works out in the end. Have fun looking at the projects, try tearing something open and let me know how it goes. cheers, -Joe

Intro: Visual Network Threat Level Indicator

Network monitoring is very important in today's world. The internet is a scary place. People have taken steps to raise their awareness by installing Intrusion Detection Systems (IDS) such as SNORT.

The problem with most of these systems is that they are vigilantly watched only right after they are installed. After a week the allure wears off and they are no longer monitored, silently churning away in the depths of the network.

By moving the visualization outside of the computer we make it easier to notice, providing the information at a glance and to a larger audience.

The Visual Threat Level Indicator (VTLI) requires only a network connection and power. It does not need to be directly attached to a computer, so it can be placed anywhere there is network access.

A python script runs on the IDS; it connects to the Arduino and updates the display.

Step 1: Parts

You will need the following:

-An IDS running SNORT  http://www.snort.org/
-Arduino Uno
-Arduino Ethernet Shield
-Arduino Proto Shield
-10x 470Ω resistors
-10 Segment LED bar graph
-Solder, wires, soldering iron

Step 2: Brief Overview

The VTLI process runs on the IDS and the Arduino.

The Arduino listens for incoming connections to update the display.

The IDS machine runs a python script that looks at the last 24 hours of the snort log to generate the threat level. It connects over the network to the Arduino to update the display. This should run out of cron at an interval appropriate to the environment; 5 minutes is a good guess.

Step 3: Program Arduino

You need to attach the ethernet shield to the Arduino Uno and take note of its MAC address. Change this in the attached code. Also assign an IP address to the ethernet shield.

Step 4: Solder the Proto Board

You will need to solder the LED bar graph to the Proto Board.

Use pins 2-9 for the first 8 LEDs and pins 14 and 15 for the last two. Pins 10-13 are used by the ethernet shield and so they are off limits.

You will want to use current limiting resistors between the pins and the bar graph; 470Ω work nicely.

Attach the negative side of the LED to ground. The space on the bottom left of the proto shield works nicely.

Sandwich all three boards together.

Step 5: Process on IDS

On the IDS you will run a python script that connects to a listener on the Arduino. Run this out of cron, say every 5 minutes, for a constantly updating display.

The code is fairly resilient and will fail with helpful messages.

Be sure to change the IP address of the Arduino in the file.

Step 6: Test

Test that the python process can connect to the Arduino. Be sure to point it at the Snort log and at the Arduino's IP address.

Step 7: Watch and Tune

Now that everything is running, you can tune the maxAlerts variable to suit your environment so you are not always in the red.

You have now moved your IDS signatures off of the screen and into the real world, hopefully improving your situational awareness. Also you got to play with Arduinos!
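The IDS-side process described in Steps 2, 5 and 7 (read the last 24 hours of the Snort log, scale the count against maxAlerts, push a level to the Arduino), as an added Python example that is not the author's attached script. The Snort "fast" alert log format and path, the shield's IP and port, and the one-number-per-line protocol between script and Arduino are assumptions, since the page does not show them; only the maxAlerts name comes from the page.

```python
import re
import socket
from datetime import datetime, timedelta
# Assumptions (not on the page): log path, shield IP/port, one ASCII number plus newline per update.
SNORT_LOG = "/var/log/snort/alert"
ARDUINO_ADDR = ("192.168.1.177", 23)   # placeholder IP assigned to the Ethernet shield
maxAlerts = 50                         # alerts per 24 h that light all ten segments (tune, Step 7)
# Fast-alert lines begin "MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] ..."; no year.
TS_RE = re.compile(r"^(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2})")

def count_recent_alerts(lines, now, window=timedelta(hours=24)):
    """Count alert header lines stamped within `window` before `now`."""
    count = 0
    for line in lines:
        m = TS_RE.match(line)
        if not m:                       # continuation or non-alert line
            continue
        mo, d, h, mi, s = (int(x) for x in m.groups())
        ts = datetime(now.year, mo, d, h, mi, s)
        if ts > now:                    # a "future" stamp is from last December
            ts = ts.replace(year=now.year - 1)
        if now - ts <= window:
            count += 1
    return count

def threat_level(alerts, max_alerts=maxAlerts, segments=10):
    """Map a count onto 0..segments lit LEDs: ceiling, saturating at max_alerts."""
    return min(segments, (alerts * segments + max_alerts - 1) // max_alerts)
def send_level(level, addr=ARDUINO_ADDR, timeout=5.0):
    """Push the level to the Arduino listener; exit loudly so cron mail shows why."""
    try:
        with socket.create_connection(addr, timeout=timeout) as sock:
            sock.sendall(f"{level}\n".encode("ascii"))
    except OSError as err:
        raise SystemExit(f"could not update display at {addr[0]}:{addr[1]}: {err}")
# Constructed sample: two alerts in the window, one 25 h old, one from last December.
SAMPLE_NOW = datetime(2012, 3, 10, 12, 0, 0)
SAMPLE_LINES = [
    "03/10-11:30:00.123456  [**] [1:1000001:1] CONSTRUCTED probe [**] [Priority: 2] {TCP} 10.0.0.5:4444 -> 10.0.0.9:80",
    "03/09-12:30:00.000001  [**] [1:1000002:1] CONSTRUCTED scan [**] [Priority: 3] {TCP} 10.0.0.5:4445 -> 10.0.0.9:22",
    "03/09-11:00:00.000000  [**] [1:1000003:1] CONSTRUCTED old [**] [Priority: 3] {UDP} 10.0.0.7:53 -> 10.0.0.9:53",
    "12/31-23:59:59.000000  [**] [1:1000004:1] CONSTRUCTED stale [**] [Priority: 3] {TCP} 10.0.0.8:1 -> 10.0.0.9:1",
]
def demo(max_alerts=4):                 # run the pipeline over the sample: (count, lit segments)
    count = count_recent_alerts(SAMPLE_LINES, SAMPLE_NOW)
    return count, threat_level(count, max_alerts)

if __name__ == "__main__":             # the cron entry point: read the log, compute, push
    with open(SNORT_LOG) as log:
        send_level(threat_level(count_recent_alerts(log, datetime.now())))
```

Because the level is a ceiling, a single alert in the window lights the first segment, and anything at or above maxAlerts pins all ten.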

Thanks for looking!

-Joe
Finalist in the Arduino Challenge


    21 Discussions

    alex990

    5 years ago on Introduction

Please, I need help in step 5.

I can see there are 2 small resistors with blue color... what are they for?

I'm stuck on this step!! I'm doing my final project in uni.

Hope you can help me.

Thanks

    simo90evo

    6 years ago on Introduction

Hi guys! I'm trying to set up snort on mac. I've installed it, and I tried to modify the file config.snort, but I don't understand what I have to do, which line I need to modify to create the log file alert.csv.

Can you help me please?

My email is simo90@me.com

Thanks!!!

OCPik4chu (replying to simo90evo)

    Reply 6 years ago on Introduction

    I would suggest posting/searching the snort website, they will be able to help you much better.

    vidtip22

    6 years ago on Introduction

Can anyone please help me with step 5, as I am not able to go through snort?

    sgleason1

    6 years ago on Step 7

Could you make an Instructable showing us how to do this with the xbee wifi protoshield? Personally I think that would be more helpful because then it could be placed anywhere within the network's range.

joe (replying to sgleason1)

    Reply 6 years ago on Step 7

    Hey SGleason1 - I would love to make one of these with an Xbee. It will have to wait until I buy one though!

    -Joe

sreeci (replying to joe)

    Reply 6 years ago on Introduction

Hello Joe, thank you for the great project.
Like S. Gleason pointed out, if you could assemble one with Xbee, I would be highly interested in it. You may also have thorough user info along with that.
I am not a great computer wizard like you nice guys!!
Kindly respond to my mail if that is possible, please.
Thanks.
Sincerely,
KJ Kumar
kjkumarsfo@yahoo.com

joe (replying to sreeci)

    Reply 6 years ago on Introduction

Hey Sreeci and Sgleason - I ordered up an Xbee, so I'll post a new wireless Instructable when I get it in.

    -Joe

sgleason1 (replying to joe)

    Reply 6 years ago on Introduction

Sweet, I can't wait to see it. I don't have an Arduino yet or the knowledge of how snort works, but I thought that if you made it with an xbee it would be much easier to put into some sort of frame and keep around the house, or bring it into your living room while watching TV.

joe (replying to sgleason1)

    Reply 6 years ago on Introduction

    Hey Sreeci and Sgleason - Here is a wireless version of the device:
    https://www.instructables.com/id/Visual-Network-Threat-Level-Indicator-v2/

    Thanks for looking.

    -Joe

    megaduty

    6 years ago on Introduction

Hmmm... gotta get an Ethernet Shield now... Nice write-up.

joe (replying to mr monoply33)

    Reply 6 years ago on Introduction

Hey Mr Monoply33 - It is an Avago HDSP4832. You can get it from Jameco here:
    http://www.jameco.com/webapp/wcs/stores/servlet/Product_10001_10001_1551402_-1

    -Joe

    Kaylonds

    6 years ago on Introduction

Very nice project. But I always wonder why no one ever tries to run the Arduino with Power over Ethernet.

joe (replying to Kaylonds)

    Reply 6 years ago on Introduction

    Hey Kaylonds - Thanks!

As far as PoE, for me the reason is simple: I don't have a network switch which can provide PoE. I'm not sure how many home users do either.

    -Joe

    nubzzz

    6 years ago on Step 7

    How do you think this would do running with Suricata instead of Snort?

joe (replying to nubzzz)

    Reply 6 years ago on Introduction

Hey Nubzzz - If Suricata has a log, then it would work. If you can give me a sample of 2 lines from the log file, I'll update the python to have a suricata/snort switch.

    -Joe

    zmashiah

    6 years ago on Introduction

Very nice!
I like the use of Arduino for showing important information, and Snort by all means is a good thing to monitor (and hopefully not too many false positives are generated on your network). In the pictures I see a chip on the proto-shield; is that part of the circuit somehow, or is it there from something different?

joe (replying to zmashiah)

    Reply 6 years ago on Introduction

Hey Zmashiah - thanks! That chip is a 470Ω resistor network; you don't need it, you can use individual resistors. I just had it on hand and find them easy to use.

    They can be found at Jameco #108581 http://www.jameco.com/webapp/wcs/stores/servlet/Product_10001_10001_108581_-1

    -Joe